I managed to solve this (the hard way). After rebooting many times,
I noticed that my rc.firewall did run and that
echo 1 > /proc/sys/net/ipv4/ip_forward
always had a zero (0) value, which drove me nuts. And then I did some
checking in /etc/sysconfig/ and noticed that network had the key
FORWARD_IPV4="no" instead of "yes"... Ughh!
I hear this is a Redhat/Mandrake-only "feature".
I guess this happened after running 'msec 4', but it did not bother
to tell me that. It also never informed me when it disabled all my
/etc/hosts.allow rules.
To Mandrake, please let the users know what is happening when 'msec'
is executed. And even more, add a '--test' option to make no changes
but tell what *would be* done without this option.
> Daniel Woods wrote:
> >
> > > So after wasting/playing 4 hours trying to understand
> > > ipchains and correct it to secure it, I've run into a
> > > problem. I have set ipchains to forward MASQ 192.168.1.0
> > > and deny everything else... (/etc/rc.d/rc.firewall)
> > >
> > > ==== start ====
> > > # Needed to initially load modules
> > > /sbin/depmod -a
> > > # Supports the proper masquerading of FTP transfers (active and passive)
> > > /sbin/modprobe ip_masq_ftp
> > > #
> > > # ----------------------------------------------------------------------------
> > > # Enable IP Forwarding, if it isn't already
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > >
> > > # Enable TCP SYN Cookie Protection
> > > echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> > >
> > > # Enable always defragging Protection
> > > echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> > >
> > > # Enable broadcast echo Protection
> > > echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> > >
> > > # Enable bad error message Protection
> > > echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> > >
> > > # Enable IP spoofing protection
> > > # turn on Source Address Verification
> > > for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> > > echo 1 > $f
> > > done
> > >
> > > # Disable ICMP Redirect Acceptance
> > > for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> > > echo 0 > $f
> > > done
> > >
> > > # Disable Source Routed Packets
> > > for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> > > echo 0 > $f
> > > done
> > >
> > > # Log Spoofed Packets, Source Routed Packets, Redirect Packets
> > > for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> > > echo 1 > $f
> > > done
> > > # ----------------------------------------------------------------------------
> > > #
> > > # MASQ timeouts
> > > /sbin/ipchains -M -S 7200 10 160
> > >
> > > # Configuration line for DHCP configured server
> > > /sbin/ipchains -A input -i eth0 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
> > >
> > > # Simple IP forwarding and Masquerading
> > > /sbin/ipchains -P forward DENY
> > > /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ # local network
> > > # /sbin/ipchains -A forward -s 10.10.10.10 -j MASQ # VPN
> > >
> > > ==== end ====
> > >
> > > This used to work for the local network (NT and win98).
> > > It seems to work fine for the LM7.1 firewall and web server.
> > > The firewall can ping all local machines by name or number,
> > > and can ping outside world and telnet campus account.
> > >
> > > The win98 machine can ping local IP names/numbers but not
> > > to the outside world.
> > >
> > > The NT machine was upgraded to NT-SP6a from SP5 because of
> > > lousy "SureThing labeler" freezing up. I was able to use
> > > and access the internet after the upgrade, until I rebooted
> > > my Linux box... and then nothing. NT can ping local numbers
> > > only and the linux box (ISP DHCP number) but not by name
> > > (except itself), and nothing outside the firewall.
> > > I uninstalled VPN software which was set to use 10.10.10.10
> > > and re-installed latest VMWare, but no changes.
> > >
> > > I have done 'ipchains -F' and reloaded the rc.firewall script
> > > or simply rebooted (many times). Since all win machines are
> > > no longer working (and they were before), I don't think I
> > > can blame them (or M$). The win machines have a static
> > > 192.168.1.x address and gateway set to linux machine 192.168.1.1
> > > and DNS set to outside ISP values.
> > >
> > > What did I screw up? Did I miss a file to clear out?
> > >
> > > Thanks... Dan.
> >
> > Were the above questions/problems too vague or too difficult
> > for any answer? I have exhausted all testing that I can think
> > of, including leaving firewall wide open. I checked all those
> > "echo 1 >..." for values without the firewall and the only one
> > still set to 1 was "echo 1 > /proc/sys/net/ipv4/tcp_syncookies".
> > Since the LAN machines can ping numbers on LAN but not names,
> > I thought it was DNS but the server can access internet.
> > So it leads me to believe that some file is set somewhere that
> > still has MASQ rules, even if I 'ipchains -F' and reboot with
> > no firewall. I need to do work support from within my LAN's
> > NT machine. I was planning to be working from home this week.
> > Please help me to solve this annoying problem.
> >
> > Thanks... Dan.
Thanks... Dan.
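The thread's diagnosis came from rebooting and re-reading each "echo 1 >..." knob by hand, and the root cause turned out to be a sysconfig key that the init scripts re-apply on every boot. The script below is an added example, not code from the thread: it audits, without writing anything, the same /proc/sys knobs the quoted rc.firewall sets and reports the FORWARD_IPV4 value from /etc/sysconfig/network, so an ip_forward that keeps reverting to 0 is tied to its cause in one run. The ROOT argument is an assumption of this example (a path prefix so the check can run against a constructed tree as well as the live system); the knob list and expected values are taken from the quoted rc.firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): read-only audit of the kernel
# knobs the quoted rc.firewall sets, plus the FORWARD_IPV4 key in
# /etc/sysconfig/network. ROOT is a path prefix ("/" for the live system, or
# a constructed tree for testing); nothing is ever written.

# global knob (under /proc/sys) and expected value, one per line
GLOBAL_KNOBS='net/ipv4/ip_forward 1
net/ipv4/tcp_syncookies 1
net/ipv4/ip_always_defrag 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/icmp_ignore_bogus_error_responses 1'

# per-interface knobs under /proc/sys/net/ipv4/conf/*/
IFACE_KNOBS='rp_filter 1
accept_redirects 0
accept_source_route 0
log_martians 1'

# check_knob FILE EXPECTED: print "OK|MISMATCH|MISSING file current expected";
# exit status 1 when the knob is absent or has the wrong value
check_knob() {
  f=$1; want=$2
  if [ ! -r "$f" ]; then
    echo "MISSING $f - $want"
    return 1
  fi
  cur=$(cat "$f")
  if [ "$cur" = "$want" ]; then
    echo "OK $f $cur $want"
    return 0
  fi
  echo "MISMATCH $f $cur $want"
  return 1
}

# audit_sysctl ROOT: one report line per knob; exit status is the number of
# knobs that are missing or wrong (0 means every knob matches rc.firewall)
audit_sysctl() {
  root=$1
  bad=0
  while read -r knob want; do
    check_knob "$root/proc/sys/$knob" "$want" || bad=$((bad + 1))
  done <<EOF
$GLOBAL_KNOBS
EOF
  for dir in "$root"/proc/sys/net/ipv4/conf/*/; do
    [ -d "$dir" ] || continue
    while read -r knob want; do
      check_knob "$dir$knob" "$want" || bad=$((bad + 1))
    done <<EOF
$IFACE_KNOBS
EOF
  done
  return "$bad"
}

# forward_ipv4_key ROOT: print the FORWARD_IPV4 value from
# /etc/sysconfig/network, or "unset" when the key (or file) is absent
forward_ipv4_key() {
  f=$1/etc/sysconfig/network
  val=$(grep '^FORWARD_IPV4=' "$f" 2>/dev/null | tail -n 1 | sed 's/^FORWARD_IPV4=//; s/"//g')
  echo "${val:-unset}"
}

# audit_report ROOT: full report on stdout; exit status as for audit_sysctl.
# When ip_forward is wrong and FORWARD_IPV4 is not "yes", point at the key,
# because the boot scripts will keep undoing what rc.firewall echoes.
audit_report() {
  root=$1
  report=$(audit_sysctl "$root") && bad=0 || bad=$?
  printf '%s\n' "$report"
  key=$(forward_ipv4_key "$root")
  echo "FORWARD_IPV4 in $root/etc/sysconfig/network: $key"
  if printf '%s\n' "$report" | grep -q 'MISMATCH .*/ip_forward ' && [ "$key" != "yes" ]; then
    echo "NOTE: ip_forward is reset at boot while FORWARD_IPV4 is \"$key\"; set it to \"yes\""
  fi
  echo "$bad knob(s) missing or wrong"
  return "$bad"
}

# usage: sh audit-fw.sh /        (audit the live system, read-only)
if [ $# -gt 0 ]; then
  audit_report "$1"
fi
```

Run it as an unprivileged user: every path it touches is readable without root, and a non-zero exit status is the "something differs from rc.firewall" signal that the thread was missing. Knobs that a newer kernel no longer exposes (the quoted ip_always_defrag, for instance) show up as MISSING rather than being silently skipped, so the report also tells you when the firewall script itself is stale.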